Dark Reading is part of the Informa Tech Division of Informa PLC


11/29/2018
09:35 AM
Scott Ferguson
News Analysis-Security Now

Ransomware, New Privacy Laws Are Top Security Concerns for 2019

It's never too early for New Year's predictions. The Information Security Forum is focused on four areas for 2019: ransomware; new privacy laws and regulations; IoT; and supply chain.

In 2019, enterprise security will be all about the data: where it is, who has access to it and who is protecting it.

For Steve Durbin, the managing director of the non-profit Information Security Forum (ISF) that focuses on data and how best to protect it, 2019 will mark a return to a more traditional approach to InfoSec, with less emphasis on the cyber attack of the day.

"For me, 2019 is all about information security really coming back on trend," Durbin told Security Now in an interview before the organization released its list of the top security trends for 2019. "We have talked a lot about cyber, but for me [2019] is more about traditional information security. It's about data and how that data can be shared, potentially compromised, and I think that is the overarch. It's all about digital data and the implications of that."

In fact, ISF's top security concerns for 2019 -- increasingly sophisticated ransomware attacks, concerns about new privacy laws, the trouble with an increasingly connected world, and rethinking the global supply chain -- all have these concerns about company data at their heart.

As Durbin explained:

It's going right back to the data, to the information, and so it's about confidentiality, integrity, and availability -- the traditional InfoSec elements. Of course, you have people talking about technology and that's off to one side, but for me it's the CIA in InfoSec that we are talking about and how it relates to that specific data, whether it's around assets or personal information or whatever that might be. So, it's that zeroing in on those traditional security arguments. I think in the past, we got excited about cyber and what you could do with all that stuff and for me 2019 is about people saying, "Let's draw that back a bit and talk more about how we protect data assets."

That notion of protecting data is at the heart of why ransomware remains a major concern. Although somewhat eclipsed in 2018 by the rise of cryptomining and cryptojacking attacks, ransomware remains the overarching concern of enterprises, whether large firms or smaller businesses. (See WannaCry Continues Rampage 18 Months After First Outbreak.)

One major concern is the increasingly sophisticated nature of ransomware operations, in which the attackers are willing to spend more time mapping a corporate network, then disabling the backup systems or encrypting the backup files before triggering the main encryption, in order to leave the victim no recovery path and increase the pressure to pay the ransom.
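The backup-tampering step described above is one of the few ransomware behaviours that leaves a crisp host-level signal: before encrypting, the operator has to run something to destroy recovery points. The following is an added example (not code from the article, ISF or Sophos) that tags constructed Windows process-creation events for the built-in utilities commonly used for this and escalates only when one host shows several distinct techniques in its logs. The tab-separated log format, the host names and the user names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events for illustration (not real telemetry).
# Assumed format, one event per line: timestamp TAB host TAB user TAB command line
SAMPLE_LOG = """\
2018-11-20T02:14:03Z\tFS01\tCORP\\svc_backup\tvssadmin.exe list shadows
2018-11-20T02:14:09Z\tFS01\tCORP\\jdoe\tvssadmin.exe delete shadows /all /quiet
2018-11-20T02:14:11Z\tFS01\tCORP\\jdoe\twmic.exe shadowcopy delete /nointeractive
2018-11-20T02:14:15Z\tFS01\tCORP\\jdoe\twbadmin.exe delete catalog -quiet
2018-11-20T02:14:20Z\tFS01\tCORP\\jdoe\tbcdedit.exe /set {default} recoveryenabled No
2018-11-20T02:15:00Z\tWS22\tCORP\\asmith\tnotepad.exe C:\\Users\\asmith\\notes.txt
2018-11-20T03:01:44Z\tWS22\tCORP\\asmith\twbadmin.exe get versions
"""

# Built-in Windows utilities that ransomware operators commonly use to destroy
# recovery points before encrypting. Read-only subcommands (list, get) are
# deliberately not matched, so routine administration does not fire.
BACKUP_TAMPER_PATTERNS = [
    ("vss_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_shrink",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def classify(cmdline: str) -> list:
    """Names of every backup-tampering pattern that matches one command line."""
    return [name for name, rx in BACKUP_TAMPER_PATTERNS if rx.search(cmdline)]


def scan(log_text: str) -> list:
    """Return one hit dict per event whose command line matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4:
            continue  # malformed line: skip it rather than crash the pipeline
        ts, host, user, cmdline = fields
        tags = classify(cmdline)
        if tags:
            hits.append({"ts": ts, "host": host, "user": user,
                         "cmdline": cmdline, "tags": tags})
    return hits


def summarize(hits: list) -> dict:
    """Map host -> sorted list of distinct tampering techniques seen on it."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["tags"])
    return {host: sorted(tags) for host, tags in per_host.items()}


def escalate(summary: dict, min_distinct: int = 2) -> list:
    """Hosts showing several distinct tampering techniques.

    A lone 'vssadmin resize shadowstorage' is often an administrator; the same
    host wiping shadow copies, deleting the backup catalog and disabling
    recovery in one sitting is the pre-encryption pattern worth paging on.
    """
    return sorted(h for h, tags in summary.items() if len(tags) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {h["cmdline"]}  -> {h["tags"]}')
    print("escalate:", escalate(summarize(found)))
```

On the constructed log this flags the four destructive commands on FS01 and nothing on WS22, whose `wbadmin get versions` is read-only. In production the same logic would run over Sysmon event 1 or Windows Security event 4688 command lines, with the per-host grouping bounded to a time window and the single-technique hits routed to triage rather than discarded.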

It's an issue Sophos Labs touched on in a recent report that focuses on ransomware campaigns such as SamSam. (See Sophos: 'Living off the Land' Is the Law of the Land.)

Additionally, cybercriminals are bundling ransomware with other attacks as it spreads, and are sharing tooling and tradecraft among themselves, which has given rise to ransomware-as-a-service. (See Kraken Cryptor Update Points to Rise of Ransomware-as-a-Service.)

"We're seeing two different trends with cybergangs. One, they are becoming much more collaborative … so they will share information about what works and what doesn't work, and they are becoming much more patient," Durbin said. "So, we know that you can live on a corporate network for months without being detected and that's allowing them to see how the systems work and where the back-ups are and that's a real danger for all organizations."

The flipside of cybercrime is, of course, the law, and increasingly governments are creating new rules and regulations designed to address concerns about data breaches and other types of attacks.

These regulations, best exemplified by the European Union's General Data Protection Regulation (GDPR), are multiplying, with countries such as China, Russia and Vietnam all updating existing laws or putting new ones on the books. (See GDPR Presents New Challenges in Backup & Disaster Recovery Management.)

In the US, California is setting new standards for data privacy and protection, although a federal privacy law does not appear imminent. (See California Looks to Pass Rudimentary IoT Security Legislation.)

For Durbin, 2019 will be the first big test of GDPR and some of these other laws and frameworks. He noted that the data breach at British Airways is of particular interest to him. (See British Airways Already Facing Lawsuits Following Data Breach.)

"You're not going to see the big numbers just yet. I think everyone is waiting around in anticipation of the 4% coming out," said Durbin, referring to the maximum GDPR fine of 4% of annual global turnover (or €20 million, whichever is higher). "The British Airways breach is the one everyone is looking at. Some of the cleanup around that has been done exceptionally well and the ICO [Information Commissioner's Office] will take that into account, but they will want to drill into what went wrong."

In addition to ransomware and privacy laws, Durbin and ISF identified two other areas of concern:

IoT
The Internet of Things remains a concern for security pros, especially as office and home spaces increasingly mix, with employees taking corporate data home, where it is exposed to an array of connected devices such as smartphones, smart TVs and other gadgets. Every such device enlarges the attack surface and puts more data at risk.

Supply chain
In 2019, ISF expects enterprises to give up trying to secure the supply chain as a whole. Rather than focusing on the companies within it, businesses will concentrate on protecting the individual components and intellectual property that pass through it. This again directs effort toward the corporate data and information itself and away from trying to ensure the security of each third-party supplier.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
